Data Protection Quarterly News Roundup (July to September 2025)

  • Louise Thompson
  • 13 Oct 2025
  • 3 min read

Last quarter was dominated by data protection reform finally passing into law on the third attempt, but this month feels like it has been dominated by something more concerning: cyber incidents. These have included an incident affecting a nursery chain; various airports (including Heathrow) being impacted by an incident affecting check-in software; an incident severely impacting Jaguar Land Rover, which had to shut down UK production factories (and which has also severely impacted its wider supply chain); customers of Salesforce being targeted by vishing attacks; and, just as this update was being finalised, Discord dealing with an incident relating to an unauthorised party compromising one of its third-party vendors. These incidents are a reminder of the importance of robust cyber security measures, regular staff training and being prepared to react to and contain a cyber incident.

In other news:

1. International Transfers

In good news, the EU General Court rejected an action which sought to annul the EU-US Data Privacy Framework (on which the UK-US data bridge is based), and the European Commission has concluded that the UK’s legal framework (despite its reform) continues to provide data protection safeguards essentially equivalent to those in the EU, which is positive news for the continuation of the EU’s UK adequacy decision.

2. New guidance

The ICO has published new guidance relating to profiling tools, disclosing documents securely (an important read for organisations dealing with DSARs) and, finally, encryption.

3. New guidance consultations

The ICO has launched consultations relating to draft guidance on amendments made to the UK GDPR by the Data Use and Access Act (DUAA) – these relate to the new lawful basis of ‘recognised legitimate interest’ and the new requirement for all organisations to have a process in place to handle data protection complaints. The ICO has also opened a consultation on draft updated guidance on storage and access technologies (aka cookies).

4. ICO enforcement

The ICO fined a Scottish charity £18,000 after it mistakenly destroyed approximately 4,800 personal records, some of which were thought to be irreplaceable. These were hard-copy records with no digital copies made, and one of the learning points the ICO highlighted from this case was the benefit of digitising records, which it said can improve security, make access easier and reduce the risk of accidental loss or destruction (so long as those digital systems are secure and backed up). This case also reminds us that data retention isn’t only about keeping personal data for too long; it’s also about taking care when deleting or destroying personal data.

5. Claims for non-material damage under the UK GDPR

In August the Court of Appeal handed down judgment in the case of Farley & Ors v Paymaster (trading as Equiniti). The main substance of the appeal related to whether claims for compensation for data breaches under the UK GDPR had to pass the threshold of seriousness set out in the Lloyd v Google case. The Court of Appeal said that losing control over personal data might give rise to a claim for damages if the claimants could demonstrate an objectively well-founded fear that their data could have been misused rather than one that was merely hypothetical or speculative. The Court said the UK should follow the CJEU’s approach as set out in the 2023 Österreichische Post case in which it was held that there was no threshold of seriousness to be passed in relation to non-material damages claims for breaches of the GDPR. 

6. UK government response to ransomware consultation

In July the government published its response to the feedback it had received on its consultation on its ransomware legislative proposals. In its consultation the government proposed: a targeted ban on ransomware payments for owners and operators of regulated critical national infrastructure and the public sector (there was majority support for this); a ransomware payment prevention regime (support for this was mixed); and a mandatory incident reporting regime (this also had majority support). As a result, the government is proceeding with all three legislative proposals.

________________________________________________________________________________________

Disclaimer

This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.
